panique/huge

[IE11 BUG ?] CSRF and IE11 (Internet Explorer 11) issue

sidopufn opened this issue · 7 comments

There appears to be a CSRF issue at login with IE11. To duplicate the issue, try the following in the latest version of IE11:

(1) Create a new account
(2) Activate the new account
(3) Attempt to Sign In

On occasion, you will get a redirect to home logged out, I think due to CSRF rejection. I cannot replicate the issue in any browser other than IE11, even though this should not be a browser-specific issue. Clearing the cache, closing IE, and restarting resolves the issue.

Hey @sidopufn, I just tried this and created a new account with a totally new user and a totally fresh email address inside IE11, then confirmed the account creation by clicking the link from the confirmation mail, which leads to the confirmation page that shows a go-to-homepage link. Clicking the link goes to the login page, and signing in with the username / password successfully logs in.

I've just done this on a Windows 7 with latest IE11 (all current Windows 7 updates were made).

Can you reproduce this on another PC, with a totally fresh account?

It turns out this was not a CSRF issue. I have this system running on a subdomain. It appears IE11 is very specific regarding session cookie domains. Adding a leading period to the /, resulting in ./ in the config cookie location, appears to have resolved the issue. No browser I tested had this issue other than IE11. Also, this issue was intermittent on IE11 machines.

I will follow up if anything changes re this fix.

Very frustrating 24 hours trying to figure this out.

Thanks, I've added this problem and the solution to the troubleshooting section of the Readme!

Following up on this ./ issue and IE, I initially thought it was only an issue if the system was installed on a subdomain. But it turns out the issue also occurs if the system is installed on a root domain.

Perhaps the default should be "./" in COOKIE DOMAINS to resolve this issue?

Can you please give more details? I could not reproduce this on the live demo in IE11.

It is an issue that I have appearing only in IE - now not just IE11 - and only when the period is missing before the / in the COOKIE DOMAINS setting. Also, it is intermittent on machines with IE, and always clears when all cookies are cleared and the browser is restarted.

On a subdomain, I did two rounds of load testing with 50+ concurrent users. In the first round, half the IE users had the problem. In the second round, after adding ./, zero users had the problem. I then moved the domain to a root domain and removed the leading period, and the problem came back just as before on two test machines using IE11. So, I have re-added the leading period and it appears to have resolved the issue.

What happens is that after a user logs in, the user is immediately redirected to the post-login page, as if logged in, and is always redirected to that page no matter what logged-in-user page the user attempts to navigate to. Because adding the leading period appears to resolve the issue, and because this issue only arises in IE, I have stopped trying to find the root cause of the issue and have decided to just move forward with this solution, which appears to be a validated workaround.

I hope this explanation is helpful.

I've just pushed a little notice into the configs and linked this to http://stackoverflow.com/questions/2285010/php-setcookie-domain
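As an added example (it is not code from panique/huge and was not posted by anyone in this thread), here is a PHP session bootstrap that applies the leading-period cookie-domain setting discussed above explicitly, instead of relying on whatever string sits in the config. The config keys (COOKIE_DOMAIN, COOKIE_PATH, COOKIE_RUNTIME, COOKIE_SECURE) and both function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from panique/huge or from the issue above.
// The configured cookie domain is normalised to the leading-period form
// ('.example.com') before it is handed to session_set_cookie_params().
// Config key names and function names here are assumptions.

/**
 * Turn a configured cookie domain into the Domain attribute to send.
 *
 * Returns '' when the Domain attribute should be omitted entirely, which
 * yields a host-only cookie. That is the safe choice for IP literals and
 * localhost: per RFC 6265 a Domain attribute never domain-matches an
 * IP-address host, so such a cookie would simply be dropped.
 */
function normalizeCookieDomain(string $configured): string
{
    $domain = strtolower(trim($configured));
    $bare   = ltrim($domain, '.');

    if ($bare === '' || $bare === '/' || $bare === 'localhost'
        || filter_var($bare, FILTER_VALIDATE_IP) !== false) {
        return '';
    }

    // Always send the leading-period form: it is what the thread reports as
    // working in IE, and RFC 6265 browsers strip the dot anyway, so the cookie
    // is valid for example.com and every subdomain of it.
    return '.' . $bare;
}

/**
 * Start the PHP session with cookie parameters taken from $config.
 * The array form of session_set_cookie_params() needs PHP >= 7.3.
 */
function startSession(array $config): void
{
    session_set_cookie_params([
        'lifetime' => (int) ($config['COOKIE_RUNTIME'] ?? 0),
        'path'     => (string) ($config['COOKIE_PATH'] ?? '/'),
        'domain'   => normalizeCookieDomain((string) ($config['COOKIE_DOMAIN'] ?? '')),
        'secure'   => (bool) ($config['COOKIE_SECURE'] ?? false),
        'httponly' => true,   // keep the session id away from page scripts
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Dot-less domain, the form reported above to log IE users out intermittently ...
$dotless = ['COOKIE_DOMAIN' => 'example.com',  'COOKIE_PATH' => '/', 'COOKIE_RUNTIME' => 1209600];
// ... and the leading-period form the thread settled on.
$dotted  = ['COOKIE_DOMAIN' => '.example.com', 'COOKIE_PATH' => '/', 'COOKIE_RUNTIME' => 1209600];

// Both configs end up sending the same Domain attribute after normalisation,
// while an IP literal (a typical local dev setup) sends none at all.
var_dump(normalizeCookieDomain($dotless['COOKIE_DOMAIN']));
var_dump(normalizeCookieDomain($dotted['COOKIE_DOMAIN']));
var_dump(normalizeCookieDomain('127.0.0.1'));

if (PHP_SAPI !== 'cli') {
    startSession($dotted);
}
```

One caveat a practitioner should keep in mind when copying the workaround: any Domain attribute, with or without the leading period, makes the session cookie readable by every subdomain of that domain. If the application does not need to share its session across subdomains, returning '' (a host-only cookie) is the least-privilege setting; the leading-period form is the right choice only when the cookie genuinely has to span the subdomain and the root domain.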